Security Check-in Quick Hits: GitHub Probe, RaaS Alliances, Signed Malware Disruption, and a $76M Crypto Exploit
For May 20, 2026
GitHub Investigating Unauthorized Access to Internal Repositories (TeamPCP Claims)
Recent discussions on X highlight GitHub’s ongoing investigation into unauthorized access to its internal repositories, with claims linked to threat actor TeamPCP.
TeamPCP has a history of supply chain attacks, including compromises of tools like Trivy and Checkmarx GitHub Actions earlier in 2026, where attackers stole CI/CD secrets and injected infostealers. This latest incident raises concerns about potential downstream risks to developers relying on GitHub’s ecosystem. Organizations should audit dependencies, rotate secrets, and monitor for anomalous repository activity. GitHub has not confirmed full details, but vigilance in supply chain security remains critical as these attacks cascade through open-source tooling.
BreachForums and The Gentlemen Announce Alleged RaaS Partnership Expansion
Underground forum BreachForums has reportedly partnered with the ransomware group “The Gentlemen” to expand Ransomware-as-a-Service (RaaS) operations. This includes recruiting affiliates, initial access brokers, pentesters, and infrastructure operators for coordinated global attacks.
This move signals increasing professionalization of cybercrime ecosystems, where forums act as centralized hubs for talent, tools, and monetization. The Gentlemen have faced their own internal leaks recently but continue aggressive campaigns. Defenders should prioritize segmentation, backup strategies, and monitoring for common RaaS tactics like double extortion. This collaboration could accelerate ransomware incidents across sectors.
Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service (MSaaS) Operation
Microsoft, with Resecurity, disrupted Fox Tempest—a financially motivated actor running a malware-signing service that abused Microsoft Artifact Signing to generate trusted, short-lived certificates for malicious code. Over 1,000 fraudulent certificates were revoked.
The operation, active since at least May 2025, allowed ransomware and other malware to bypass controls by masquerading as legitimate software (e.g., mimicking AnyDesk or Teams). It impacted healthcare, education, government, and financial sectors globally. This highlights risks in code-signing infrastructure and the need for identity validation, certificate monitoring, and behavioral detection beyond signatures. Kudos to the disruption effort, but it underscores how threat actors exploit trusted platforms.
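The certificate monitoring suggested above can be sketched as a triage pass over signed-file inventory records. This is an added example, not code from Microsoft or Resecurity. The record fields, the brand-to-publisher map and the 7-day cut-off are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumption: brand keyword a file claims -> publisher expected in the signer name.
EXPECTED_PUBLISHERS = {
    "anydesk": "anydesk software gmbh",
    "microsoft teams": "microsoft corporation",
}
SHORT_LIVED = timedelta(days=7)  # assumed cut-off for a "short-lived" certificate

# Constructed inventory records; field names are hypothetical.
SAMPLE = [
    {"path": "C:/Users/a/Downloads/AnyDesk.exe", "product": "AnyDesk",
     "signer": "Example Holdings LLC",
     "not_before": "2026-05-01T00:00:00", "not_after": "2026-05-04T00:00:00"},
    {"path": "C:/Program Files/Teams/Teams.exe", "product": "Microsoft Teams",
     "signer": "Microsoft Corporation",
     "not_before": "2025-09-01T00:00:00", "not_after": "2026-09-01T00:00:00"},
    {"path": "C:/Tools/notes.exe", "product": "Contoso Notes",
     "signer": "Contoso Ltd",
     "not_before": "2026-05-10T00:00:00", "not_after": "2026-05-13T00:00:00"},
]

def signals(rec):
    """Return the review signals that apply to one signed-file record."""
    found = set()
    lifetime = (datetime.fromisoformat(rec["not_after"])
                - datetime.fromisoformat(rec["not_before"]))
    if lifetime <= SHORT_LIVED:
        found.add("short-lived-cert")
    product, signer = rec["product"].lower(), rec["signer"].lower()
    for brand, publisher in EXPECTED_PUBLISHERS.items():
        if brand in product and publisher not in signer:
            found.add("publisher-mismatch")
    return found

def triage(records):
    """Map path -> severity; a short-lived cert alone is only informational."""
    out = {}
    for rec in records:
        s = signals(rec)
        if "publisher-mismatch" in s:
            out[rec["path"]] = "high" if "short-lived-cert" in s else "review"
        elif s:
            out[rec["path"]] = "info"
    return out

if __name__ == "__main__":
    for path, severity in triage(SAMPLE).items():
        print(severity, path)
```

A short certificate lifetime is kept at "info" on its own because legitimate publishers using the same signing service hold short-lived certificates too; the brand and signer mismatch is what raises the severity.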
$76M Exploit Hits Echo Protocol on Monad Blockchain
In a major crypto incident, Echo Protocol on the Monad chain suffered a ~$76.7M exploit. An attacker allegedly used a compromised admin key to mint 1,000 unauthorized eBTC tokens, laundered portions via Curvance and bridges, and routed funds through Tornado Cash. The attacker still controls significant value.
This marks another high-profile DeFi hack, exposing governance weaknesses like single-sig admins and lack of mint caps/timelocks. Cross-chain protocols remain high-risk; users and projects should demand better key management, audits, and monitoring. The rapid timeline (third major exploit in days) shows persistent smart contract and operational security challenges in crypto.
Stay secure out there—patch aggressively, monitor supply chains, and treat admin keys like crown jewels. These hits remind us that threats evolve fast, but so do defenses.



